We are happy to announce significant protection improvements for the cases where different protection modules work in cooperative mode.
Previously, whenever the PAM module was active, the Active Response protection function was not in active mode, so the two never worked simultaneously. In the upcoming version we are changing the limits for Active Response thresholds, which adds a second layer of protection that comes into play right after the PAM module finishes its work.
In some cases PAM protection alone was too polite: an attacker running an aggressive script could keep hammering the server and generating load even though every login attempt failed. From now on, Active Response will stop such attackers even with PAM enabled. This should reduce server load by cutting the amount of bad traffic, so the server does not spend resources on useless connections.
This is how it works: at the first layer the PAM module works as usual, preventing attackers from authenticating successfully. If the attack continues, the Active Response module takes over and blocks the port under attack for the offending source, without greylisting the IP address itself. The attack is deflected, but the website keeps functioning normally. This is especially useful when the same IP address carries traffic from different users, since only the abused port is affected rather than every connection from that address.
We are gradually rolling out the new OSSEC rules 3.1.0-101h and plan to finish within the next couple of days. Run the following command in the console to check whether your server has already received the update; the path exists only once the new rules are installed, so a "No such file or directory" error means the rollout has not reached your server yet:
# ls /var/ossec/etc/VERSIONS/3.1.0-101h
To manually update version to the latest you can use the following command:
# imunify360-agent update ossec --force
or simply wait a couple of days for the gradual rollout to do the work automatically.
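As an added example (not part of this post or the Imunify360 documentation), the check and the forced update above can be wrapped in a small POSIX shell script that is safe to run repeatedly, for example from a fleet management tool, and that reports whether the rollout has actually reached a server. It assumes the marker path and the imunify360-agent command exactly as shown in this post; the OSSEC_VERSIONS_DIR and UPDATE_CMD variables and the function names are this example's own, made overridable so the logic can be exercised on a host without Imunify360.

```shell
#!/bin/sh
# Added example, not Imunify360's own tooling. Idempotent check-and-update for
# the 3.1.0-101h OSSEC rules rollout. Assumptions: the rules leave a marker at
# /var/ossec/etc/VERSIONS/3.1.0-101h and the forced update is
# "imunify360-agent update ossec --force", both as shown in the post.
# OSSEC_VERSIONS_DIR and UPDATE_CMD are overridable for testing on other hosts.

TARGET_RULES="3.1.0-101h"
OSSEC_VERSIONS_DIR="${OSSEC_VERSIONS_DIR:-/var/ossec/etc/VERSIONS}"
UPDATE_CMD="${UPDATE_CMD:-imunify360-agent update ossec --force}"

# Returns 0 if the marker for the target rule set is present, 1 otherwise.
ossec_rules_present() {
    [ -e "$OSSEC_VERSIONS_DIR/$TARGET_RULES" ]
}

# Forces the update only when the marker is missing, then re-checks.
# Prints one of: already-updated, updated, update-failed.
# Returns 0 for the first two and 1 when the marker is still absent
# after the forced update (worth investigating rather than retrying blindly).
ensure_ossec_rules() {
    if ossec_rules_present; then
        echo "already-updated"
        return 0
    fi
    # Do not abort on a non-zero exit from the agent; the marker is the
    # authoritative signal, so the re-check below decides the outcome.
    $UPDATE_CMD >/dev/null 2>&1 || true
    if ossec_rules_present; then
        echo "updated"
        return 0
    fi
    echo "update-failed"
    return 1
}

# Only act when invoked as "sh check_ossec_rules.sh run", so the file can
# also be sourced to reuse the functions without side effects.
case "${1:-}" in
    run) ensure_ossec_rules ;;
esac
```

Run it as root with `sh check_ossec_rules.sh run`. An exit status of 1 means the forced update ran but the marker is still missing, which usually indicates the agent could not reach the update server or is itself outdated.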
Once updated, you can control this feature from the Imunify360 interface: navigate to Settings→General, locate the OSSEC/PAM settings and toggle it ON or OFF.